Cyber Safety Review Board warns that Log4j event is an “endemic vulnerability”
According to the report, "The pace, pressure, and publicity compounded the
defensive challenges." As a result, researchers found additional vulnerabilities
in Log4j, contributing to confusion and "patching fatigue," and "responders
found it difficult to find authoritative sources of information on how to
address the issues. This frenetic period culminated in one of the most intensive
cybersecurity community responses in history." ... The few organizations that
responded effectively to the event "understood their use of Log4j and had
technical resources and mature processes to manage assets, assess risk, and
mobilize their organization and key partners to action. Most modern security
frameworks call out these capabilities as best practices." ... A fog still
hovers over the event because, "No authoritative source exists to understand
exploitation trends across geographies, industries or ecosystems. Many
organizations do not even collect information on specific Log4j exploitation,
and reporting is still largely voluntary. Most importantly, however, the Log4j
event is not over."
DTN’s CTO on combining IT systems after a merger
Enterprises often make strategic errors when combining IT systems following an
acquisition, Ewe says. “The number one mistake I see is, ‘Since we acquired you,
clearly we win,’” he says. “Just because A bought B, you don’t want to assume
that A has better technology than B.” Another common mistake is to go solely by
the numbers, picking one company’s IT system over the other’s because it has the
highest revenue or profitability, he says: “The issue there is that you’re
oversimplifying the process.” Given the investment in time and money necessary
to merge two companies’ IT systems, “it’s worthwhile spending an extra few weeks
up-front to make a more thorough analysis of which solution or which pieces of
which solutions should come together,” Ewe says. Jumping straight in and making
a wrong decision can cost more in the long term. Ewe consulted with product and
sales management, and with customers, to identify the needs DTN’s single engine
would have to satisfy, as well as the use cases it would serve, before
evaluating the existing assets against those needs.
Ransomware and backup: Overcoming the challenges
Recovering data after a ransomware attack is more complex and more risky than
recovery from a system outage or natural disaster. The greatest risk is that
backups contain undetected ransomware, which then replicates into the production
system or recovered systems. This risk is reduced by using air-gapped copies and
immutable copies and snapshots, and keeping more copies than would be required
for conventional backup alone. This requires a more cautious approach to data
recovery, and one that can be at odds with the commercial pressures for short
RTOs and recent RPOs. Matters are made more difficult because there are no
viable, fool-proof systems that can scan data for ransomware before it is backed
up, says Barnaby Mote, managing director at backup specialist Databarracks.
“Before ransomware was a thing, replicating data from production systems to DR
as quickly as possible was a sound recovery strategy for conventional
disasters,” he says. “Now, with ransomware, it has the opposite of the desired
effect, rendering recovery systems unusable.”
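The trade-off Mote describes, as an added illustration that is not code from the article or from Databarracks: a constructed model of write-once daily snapshots showing why a retention window sized for ordinary outages can leave no clean copy once ransomware has sat undetected for longer than that window, and how a longer window buys a clean restore point at the cost of a much older RPO. The store, day numbers and dwell times are all invented for the example.

```python
class ImmutableSnapshotStore:
    """Write-once snapshot store keyed by the day (int) a snapshot was taken."""

    def __init__(self, retention_days):
        self.retention_days = retention_days
        self._snapshots = {}  # day -> snapshot contents

    def write(self, day, contents):
        # Immutability: rewriting an existing snapshot is refused, so ransomware
        # that reaches the backup target cannot encrypt copies already taken.
        if day in self._snapshots:
            raise PermissionError(f"snapshot for day {day} is immutable")
        self._snapshots[day] = contents

    def expire(self, today):
        # Only retention expiry removes copies, and only once they age out.
        cutoff = today - self.retention_days
        self._snapshots = {d: c for d, c in self._snapshots.items() if d >= cutoff}

    def days(self):
        return sorted(self._snapshots)


def newest_clean_restore_point(store, first_infection_day):
    """Newest snapshot taken before the ransomware arrived, or None."""
    clean = [d for d in store.days() if d < first_infection_day]
    return max(clean) if clean else None


def simulate(retention_days, today, first_infection_day):
    """Take daily snapshots, then plan recovery once the intrusion is found.
    Returns (restore_day, effective_rpo_days); restore_day is None when the
    retention window is shorter than the dwell time, i.e. every surviving
    copy already carries the ransomware and restoring it would re-infect."""
    store = ImmutableSnapshotStore(retention_days)
    for day in range(today + 1):
        # Snapshots taken after the intrusion silently carry the malware.
        contents = "infected" if day >= first_infection_day else "clean"
        store.write(day, contents)
        store.expire(day)
    restore_day = newest_clean_restore_point(store, first_infection_day)
    rpo = None if restore_day is None else today - restore_day
    return restore_day, rpo


if __name__ == "__main__":
    # 7-day retention sized for outages vs. a 10-day undetected dwell time.
    print(simulate(retention_days=7, today=40, first_infection_day=30))   # (None, None)
    # 30-day retention still holds a clean copy, at the cost of an 11-day RPO.
    print(simulate(retention_days=30, today=40, first_infection_day=30))  # (29, 11)
```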
Continuous Intelligence: Definition, Benefits, and Examples
While humans cannot inspect every possible characteristic and combination in the
flood of incoming data, machines can. Complementing analytics that provide
precise answers to questions users know to ask, a machine can continuously
monitor data in the background to detect unknown correlations and trends that
deviate from what would have been expected by the system based on previous
observations. This way, companies can identify hidden, but potentially relevant
signals in the data. Gartner predicts that by 2022, more than half of major new
business systems will incorporate continuous intelligence capabilities. By
integrating artificial intelligence (AI)-based continuous intelligence into
their day-to-day operations, companies can: boost efficiency by spending less
time sifting through data from a variety of disparate sources; focus on what
really matters for their business; and speed time to action. By automatically
inspecting critical business health indicators such as revenue, Web page views,
active users, or transaction volume in real time, businesses can accelerate
their time to insight and action and better respond to situations before
business is impacted.
7 reasons Java is still great
As a longtime Java programmer, it was surprising—astonishing, actually—to watch
the language successfully incorporate lambdas and closures. Adding functional
constructs to an object-oriented programming language was a highly controversial
and impressive feat. So was absorbing concepts introduced by technologies like
Hibernate and Spring (JSR 317 and JSR 330, respectively) into the official
platform. That such a widely used technology can still integrate new ideas is
heartening. Java's responsiveness helps to ensure the language incorporates
useful improvements. It also means that developers know they are working within
a living system, one that is being nurtured and cultivated for success in a
changing world. Project Loom—an ambitious effort to re-architect Java’s
concurrency model—is one example of a project that underscores Java's commitment
to evolving. Several other proposals currently working through the JCP
demonstrate a similar willingness to go after significant goals to improve Java
technology. The people working on Java are only half of the story. The people
who work with it are the other half, and they are reflective of the diversity of
Java's many uses.
Search Here: Ransomware Groups Refine High-Pressure Tactics
Ransomware groups continue to refine the tactics they use to better pressure
victims into paying. And they're succeeding. "In recent months, we have seen an
increase in the number of ransomware attacks and ransom amounts being paid," the
heads of Britain's lead cybersecurity agency and privacy watchdog warned last
week in an open letter to the legal industry. The impetus for the alert from
Britain's National Cyber Security Center - the public-facing arm of intelligence
agency GCHQ - and the Information Commissioner's Office: They're urging
solicitors to never advise clients to pay a ransom. Doing so will not lessen any
penalties the ICO might levy, helps perpetuate the ransomware business model and
could violate U.S. sanctions, they say. But the increase in ransoms being paid
speaks to the success of ransomware groups' continuing innovation. Psychological
pressure remains a specialty. After infecting systems, many types of ransomware
reboot infected PCs to a lock screen that lists the ransom demand, a
cryptocurrency wallet address for routing funds and a countdown timer.
Functional programming is finally going mainstream
For some, using an object-oriented language like Java, JavaScript, or C# for
functional programming can feel like swimming upstream. “A language can steer
you towards certain solutions or styles of solutions,” says Gabriella Gonzalez,
an engineering manager at Arista Networks. “In Haskell, the path of least
resistance is functional programming. You can do functional programming in Java,
but it’s not the path of least resistance.” A bigger issue for those mixing
paradigms is that you can’t expect the same guarantees you might receive from
pure functions if your code includes other programming styles. “If you’re
writing code that can have side effects, it’s not functional anymore,” Williams
says. “You might be able to rely on parts of that code base. I’ve made various
functions that are very modular, so that nothing touches them.” Working with
strictly functional programming languages makes it harder to accidentally
introduce side effects into your code. “The key thing about writing functional
programming in something like C# is that you have to be careful because you can
take shortcuts and then you’ve got the exact sort of mess you would have if you
weren’t using functional programming at all,” Louth says.
Safeguarding the open source model amidst big tech involvement
Two of the main techniques to safeguard open source and its community are
through smart licensing tactics and constant innovation. The first technique is
to simply switch the project licence from an open source licence to a more
restrictive licence. There are two specific licences that can be used to protect
against clouds and corporations: AGPL-3 and SSPL — specifically developed by the
likes of MongoDB, Elastic and Grafana to protect themselves from AWS. For
instance, although many projects have shifted away from GPL-style licences
towards more permissive licensing, under the GPL contributors are required to
make their code available to the open source community, the so-called “copyleft”.
This traditional licensing style helps to create a more open, transparent
ecosystem. Another way in which open source can safeguard its future is through
smart innovations. Constantly innovating in order to satisfy users should be the
way forward for the evolution of open source projects and solutions. This would
enable companies to maintain their competitive edge and keep up with
technological trends.
5 ways fear can derail your digital transformation strategy
When we confront new work technologies such as a hybrid workplace, virtual
meeting rooms, or new software, we tend to resist or avoid them simply because
they’re new and we’re not used to them. This creates division. A company looking
to offer a hybrid workplace might encounter resistance from employees, managers,
and even customers who refuse to recognize this arrangement. What appears to be
a simple reluctance to change is actually a deep-seated fear of changing a
comfortable status quo. What you can do about this: Offer facts to neutralize
fear. People often use their own frame of reference if they are not given
something tangible to hold on to. If the change involves new technology,
demonstrate the technology. Let them see how it works. If the change is
organizational, such as a hybrid workspace, present the facts about how it will
work, what will change, and what will stay the same. Listen to and respond to
their questions and objections. Humans are dominated by emotion, and logic is
always playing catch-up.
The Four P's of Pragmatically Scaling Your Engineering Organization
Your people aren’t just the heart and soul of the company, they’re the building
blocks for its future. When you're growing rapidly it can be tempting to add
developers to your team as quickly as possible, but it's important to first
consider your company goals while remaining practical about how you’re scaling.
This is the key foundation for building the right organization. ... Scaling your
processes comes down to practical prioritization. It is crucial to clearly
establish processes that balance both short- and long-term wins for the company,
beginning with the systems that need to be fixed immediately. Start by
instituting a planning process that looks at things from both an annual and a
quarterly, or even monthly, perspective, and try not to get bogged down
deliberating over a planning methodology in the first stage. ... Scaling the
platform is often the
biggest challenge organizations face in the hyper-growth phase. But it’s
important to remember that building toward a north star doesn’t mean that you’re
building the north star. Now is the time to focus on intentional, iterative
improvement of the platform rather than implementing sweeping changes to your
product.
Quote for the day:
"It is one thing to rouse the passion of a people, and quite another to lead them." -- Ron Suskind